Comodo Issued Most Certificates for Signed Malware on VirusTotal

Comodo CA (now known as Sectigo) is the Certificate Authority (CA) that issued the largest number of digital certificates used to sign malware samples found on VirusTotal over the past year, Chronicle’s security researchers have discovered.

Data collected within a 365-day span (with an initial start date of May 7, 2019) revealed that, out of a total of 3,815 signed malware samples, 1,775 used a digital certificate issued by Comodo RSA Code Signing CA.

The process of cryptographically signing code was meant to provide an operating system with the means to discriminate between legitimate and potentially malicious software. The system relies on a chain of trust, where certificates are issued by trusted CAs that have the backing of a trusted parent CA.

Malware authors are taking advantage of this inherited trust model to purchase certificates directly or via resellers. Regardless of how the purchase is made, there is a lack of due diligence into customers, Chronicle says.

At the moment, the researchers note, the only real tool to combat certificate abuse is the revocation of that certificate, a process through which the CA says the certificate is no longer trustworthy, and which introduces a delay in which the signed malware may be considered “trusted”.

For their investigation, Chronicle’s security researchers examined signed Windows PE executable files on VirusTotal, filtered out a large number of samples and grayware files, and then identified the CA responsible for each of the remaining samples.

Their analysis revealed that Comodo was responsible for the largest number of signed samples, at 1,775, with thawte at 509, VeriSign at 261, Sectigo (formerly Comodo) at 182, Symantec at 131, and DigiCert at 118 rounding out the list of CAs that issued over 100 certificates for malware.

“CAs who signed certificates of 100 or more malware samples account for nearly 78% of signed samples uploaded to VirusTotal,” Chronicle underlines.

“The CA with the most samples has nearly 3.5x more samples than the next highest which in turn has almost 2x more than the next highest. The pattern quickly falls off as we move down the line of the top 10 CAs issuing abused certificates,” the security researchers continue.

The investigation also revealed that 21% of samples had their certificates revoked by May 8, 2019, which indicates that the CAs are taking some action.

“Note that for the revocation of a certificate to be reflected in the VirusTotal dataset, the sample must be rescanned following the revocation request by the responsible CA,” the researchers note.

The increasing abuse of code signing certificates by financially motivated threat actors shows that trust-based security is flawed. Operators of crime-focused malware now also have access to code signing certificates, something that was previously available only to nation-state threat actors, which used to steal code signing certificates from victims.

“Expect to see signed malware reported more frequently,” Chronicle says.

“As a policy, Sectigo revokes certificates used in malware attacks and does not issue them to known malware purveyors,” Tim Callan, Sectigo’s Senior Fellow, told SecurityWeek. “At its last general meeting, the CA/Browser Forum voted to establish a Working Group specifically for code signing. This Working Group is looking into responses to malware signing among other matters. We encourage security researchers to report instances of malware employing Sectigo certificates at [email protected]”